
Another Trusted Zone *63.219.181.7 victim

Discussion in 'Malware and Virus Removal Archive' started by jjbode, 2004/11/17.

Thread Status:
Not open for further replies.
  1. 2004/11/18
    noahdfear Inactive
    Would you download and install Process Explorer, unzip and open, then click file>save as and put on your desktop. Open and copy\paste it here.

    By the way, I didn't see any unusual services running, so shutting down won't be a problem if we don't get this resolved tonight.

    Would you also try searching for some of those filenames in the registry, including the ones Lonny mentioned (with RegSeeker too). The key you did find and post is only Most Recently Used files. We need to see if we can find where they are being called from in the registry.
     
  2. 2004/11/18
    Lonny Jones Inactive Alumni
    Hi
    You sent mqbkup.exe and extrac32.exe, those appear legit.
    We are looking for mqbckup.exe extrac16.exe
    and these also. Some of which are in fact there, we can see them in your pv logs; they will be hidden, possibly superhidden.

    Only those found in System32. Careful with the spelling, there are similar files:
    service.exe msacmx.dll d3dxov.dll winsrv32.dll
    ie4unit.exe ipxroutex.exe rdshost32.exe rshe.exe net2.exe mqsvch.exe
    dllhostxp.exe extrac16.exe mqbckup.exe
    pxhping.exe rdpnr.exe slservc.exe clfmon.exe hdr.dll

    Any you think should be added Dave ?

    If it's not already, set Windows to show hidden files, folders and extensions
    >click here for instructions<.

    You might need to import this reg file to show superhidden
    Run this registry script, which forces Windows to show so called "superhidden" files:
    Copy the bolded below into Notepad, and save in a location of your choice as Unhide.reg (make sure to save as type: "All Files ")

    Double-click Unhide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

    This is only for XP or 2000 systems

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
    "SearchSystemDirs"=dword:00000001
    "SearchHidden"=dword:00000001
    "IncludeSubFolders"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
    "ShowSuperHidden"=dword:00000001


    edit out the space in Curre ntVersion.


    Until we get back to you, do fix this with HijackThis and delete that exe:
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\whwuhksv.exe


    Has RegSeeker been working OK for you? If not we can get another tool.
     


  4. 2004/11/18
    noahdfear Inactive
    No Lonny, I have no other filenames to add at this time.

    jj, I would also like to know if you used Spybot to lock the internet control panel options?
     
  5. 2004/11/19
    noahdfear Inactive
    jj,

    If you wouldn't mind doing so, and your mail client will handle a large file (mine was about 3MB), would you run this command and mail the text file to me. Have sent email address via private message.

    regedit.exe /e c:\MSCV.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"

    Don't forget to edit out the space in CurrentVersion. Thanks.
     
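A way to do offline the registry search noahdfear asks for at the top of this page (find where the listed filenames are being called from) against the CurrentVersion export requested just above. This is an added example, not jjbode's export and not a tool any of the posters used: a Python scanner that reads the "Windows Registry Editor Version 5.00" text that regedit.exe /e writes, unescapes REG_SZ strings, decodes hex(2)/hex(7) values from UTF-16LE, re-joins regedit's backslash-continued hex lines, and reports every key and value whose name or data mentions one of the suspect filenames. The export embedded in the block is constructed to mimic regedit's layout; apart from the clfmon Run value the thread mentions, its entries are invented. regedit /e writes the file as UTF-16 with a byte-order mark, which is why load_export opens it with that encoding.

```python
"""Search a regedit export for references to suspicious filenames.

Added example for this thread; it is not jjbode's export or a tool any of the
posters used.  Assumes the 'Windows Registry Editor Version 5.00' text format
that regedit.exe /e produces (UTF-16 with a BOM on disk).
"""
import re
from typing import Iterator, List, Tuple

# Filenames taken from the lists earlier in this thread.
SUSPECT_NAMES = ["clfmon.exe", "pxhping.exe", "mqbckup.exe",
                 "extrac16.exe", "whwuhksv.exe"]

# Constructed sample in regedit's layout; the entries are invented for
# illustration (only the format and the clfmon Run value mirror the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"clfmon.exe"="clfmon.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Example"=hex(2):43,00,3a,00,5c,00,70,00,78,00,68,00,70,00,69,00,6e,00,67,00,\
  2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs]
"MRUList"="ab"
'''

# "name"=data  or  @=data  (the @ form is the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _logical_lines(text: str) -> Iterator[str]:
    """Yield one logical line per value: regedit wraps long hex data over
    several physical lines, each of which ends in a backslash."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        pending = ""
        yield line
    if pending:
        yield pending


def decode_data(data: str) -> str:
    """Turn value data into searchable text: quoted REG_SZ strings are
    unescaped; hex(1)/hex(2)/hex(7) are decoded from UTF-16LE; plain hex
    (REG_BINARY) is decoded as Latin-1 so embedded ASCII names still match;
    anything else (dword:...) is returned verbatim."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    m = re.fullmatch(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)", data)
    if not m:
        return data
    kind = int(m.group(1), 16) if m.group(1) else 3
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2, 7):
        return raw.decode("utf-16-le", "replace").rstrip("\x00").replace("\x00", " ")
    return raw.decode("latin-1")


def find_references(export_text: str, names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, decoded_data) for every value whose name or
    data mentions one of `names` (case-insensitive)."""
    wanted = [n.lower() for n in names]
    hits: List[Tuple[str, str, str]] = []
    key = None
    for line in _logical_lines(export_text):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = decode_data(m.group(2))
        if any(w in (name + " " + data).lower() for w in wanted):
            hits.append((key, name, data))
    return hits


def load_export(path: str) -> str:
    """Read a file written by regedit /e (UTF-16LE with BOM)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for key, name, data in find_references(SAMPLE_EXPORT, SUSPECT_NAMES):
        print(f"[{key}]\n    {name} = {data}")
```

Run against a real export with `find_references(load_export(r"c:\MSCV.txt"), SUSPECT_NAMES)`; a hit under a Run, RunServices or service ImagePath key is the "where it is being called from" that the helpers were looking for, and the decoded data shows the exact command line without the `\\` and `\"` escaping of the raw file.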
  6. 2004/11/19
    Newt Inactive
    Dave - I did the registry dump and mine was quite a bit larger than that but it zip/crunches nicely.
     
  7. 2004/11/19
    noahdfear Inactive
    Thanks Newt. :) My mail will handle up to 10MB attachments, so we should be safe.

    I would guess you have alot of apps on your machine. ;)
     
  8. 2004/11/19
    jjbode Inactive Thread Starter
    Dave, Lonny, multiple crashes later, I'm baaack.

    Dave:

    1. Followed instruction in your #22. Here's the Process Server text generated right afterward:

    Process PID CPU Description Company Name
    System Idle Process 0 100
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 8
    smss.exe 168 Windows NT Session Manager Microsoft Corporation
    csrss.exe 196 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 216 Windows NT Logon Application Microsoft Corporation
    services.exe 244 Services and Controller app Microsoft Corporation
    Ati2evxx.exe 376
    svchost.exe 452 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 500 Spooler SubSystem App Microsoft Corporation
    msdtc.exe 536 MS DTC console program Microsoft Corporation
    ISafe.exe 644
    svchost.exe 660 Generic Host Process for Win32 Services Microsoft Corporation
    PGPsdkServ.exe 700 PGP Software Development Kit Service PGP Corporation
    tcpsvcs.exe 764 TCP/IP Services Application Microsoft Corporation
    snmp.exe 788 SNMP Service Microsoft Corporation
    VetMsg.exe 804 vetmsg Computer Associates International, Inc.
    vsmon.exe 844 TrueVector Service Zone Labs Inc.
    WinMgmt.exe 944 Windows Management Instrumentation Microsoft Corporation
    svchost.exe 960 Generic Host Process for Win32 Services Microsoft Corporation
    wuauclt.exe 1928 Windows Update AutoUpdate Client Microsoft Corporation
    inetinfo.exe 980 Internet Information Services Microsoft Corporation
    mqsvc.exe 1004 Windows NT MQ Service Microsoft Corporation
    msiexec.exe 2052 Windows® installer Microsoft Corporation
    lsass.exe 256 LSA Executable and Server DLL (Export Version) Microsoft Corporation
    Ati2evxx.exe 1544
    Explorer.EXE 1576 Windows Explorer Microsoft Corporation
    EXSHOW95.EXE 1664 Kensington MouseWorks Win32 Support Kensington Technology Group
    EXSHOW.EXE 1644 Kensington MouseWorks Win32 Support Kensington Technology Group
    SOUNDMAN.EXE 1676 Realtek Sound Manager Realtek Semiconductor Corp.
    realsched.exe 1632 RealNetworks Scheduler RealNetworks, Inc.
    ProDsl.exe 1656 Intel(R) PRO/DSL Connection Manager Intel Corporation
    CAVTray.exe 1684 CaAv Tray Notification Application Computer Associates International, Inc.
    CAVRID.exe 1692 CavRid Application Computer Associates International, Inc.
    zlclient.exe 1712 Zone Labs Client Zone Labs Inc.
    WZQKPICK.EXE 1720 WinZip Executable WinZip Computing, Inc.
    AcroTray.exe 1748 AcroTray Adobe Systems Inc.
    PGPtray.exe 1724 PGP System Tray Application PGP Corporation
    procexp.exe 2024 Sysinternals Process Explorer Sysinternals
    IEXPLORE.EXE 1016 Internet Explorer Microsoft Corporation
    pxhping.exe 1376
    mqbckup.exe 1936

    Process: Procexp Pid: -2

    Type Name

    Note: the last 2 processes did not show in Task Manager.

    Next, followed Lonny's advice in #22, thus:

    1. Verified that Windows was already set to show hidden files folders and extensions.

    2. Ran the script to force Windows to show superhidden files.

    3. Found the following files in C:\WINNT\System32. I did this using RegLite, which worked finally after Windows corrected some file system or other after one of the reboots (RegSeeker kept crashing itself and Windows). The files followed by an * could also be seen/copied with Windows Explorer; they are the only ones I sent to Lonny. Need advice on how to retrieve the others, if wanted. Also, as RegLite found files/keys/whatever, not knowing what to do I bookmarked all the entries and exported the bookmark file. Mind you, I don't know how to open/use that bookmark file. You want it by email?

    service.exe
    msacmx.dll *
    d3dxov.dll *
    winsrv32.dll *
    ie4unit.exe
    ipxroutex.exe
    rdshost32.exe
    rshe.exe *
    net2.exe *
    mqsvch.exe
    dllhostxp.exe
    extrac16.exe
    mqbckup.exe *
    pxhping.exe *
    rdpnr.exe
    slservc.exe *
    clfmon.exe *
    hdr.dll *

    4. Fixed line 16 of HJT, manually deleted whwuhksv.exe from C:\Program Files\Internet Explorer\, and emptied the recycle bin.

    Next, I used Process Explorer to end process/kill pxhping.exe and mqbckup.exe. You'd suggested in #16 I do that with Task Manager; no could do. No new funny process has started since.

    Afterward (probably should have done it before), I ran the registry dump you asked for in #24 and have emailed the 1,270KB file to you.

    Seems you folks work day and night. This computer is at my work, and I will probably not be back until monday (wife, dog, birthday, company). jj :eek:
     
  9. 2004/11/20
    noahdfear Inactive
    Well, here it is jj.:)

    For what it's worth, although the Ms4Hd export you did earlier on did not show any of the information I had expected, the CurrentVersion export you mailed to me did.

    You should print this out and/or save it to text where you can access it in safe mode.

    Download CWShredder from here. Double click to install.

    Download, install and update Ad-aware. Link is in my signature. I also recommend you uninstall Adware Away. More information here.

    Download the text file attached to this post, saving to the desktop. Rename with a .reg extension.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ls0.net/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://your-searcher.com/sp.htm
    O1 - Hosts: 3466709097 sitefinder.verisign.com
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O1 - Hosts: 3466709097 www.your.com
    O1 - Hosts: 3466709097 your.com
    O1 - Hosts: 3466709097 com.org
    O1 - Hosts: 3466690378 ad.doubleclick.net
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O15 - Trusted Zone: http://*.63.219.181.7

    Reboot to safe mode. Scan with HJT again and look for the following run entry.

    O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe

    If found place a check next to it and fix. If not, open regedit and navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    and delete the clfmon string. (I know it's there because it's in the export you mailed to me)

    Double click the new CWShredder shortcut on the desktop to open, close all other windows and click fix.

    Double click the Ms4HdRem.reg file to merge to the registry.

    Open C: and delete the !Submit folder.

    Open C:\WINNT\System32, find and delete any of the following files present.

    msmsgs.exe
    service.exe
    msacmx.dll
    d3dxov.dll
    winsrv32.dll
    ie4unit.exe
    ipxroutex.exe
    rdshost32.exe
    rshe.exe
    net2.exe
    mqsvch.exe
    dllhostxp.exe
    extrac16.exe
    mqbckup.exe
    pxhping.exe
    rdpnr.exe
    slservc.exe
    clfmon.exe
    hdr.dll
    msacmx.dll


    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.

    Open Ad-aware and run in full scan mode. Remove everything it finds.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    Reboot back to Windows.

    Open RegSeeker and click 'clean registry'. I generally recommend deleting everything it finds, and have not had any problems doing so. Run again and again until nothing else is found. You might also want to use the Histories function to clear URLs, cookies, stream MRU keys, etc.

    Reboot, scan your PC with RAV. If any files are infected, click the report button then copy and paste it here, along with a new HijackThis log. (we need to see a new HJT log regardless)

    Did you use Spybot to lock the IE Options control panel?

    By all means, send me the RegLite bookmarks file too. ;)
     
  10. 2004/11/23
    jjbode Inactive Thread Starter
    Dave, my results/remarks are bolded among your previous post's instructions, below.

    Download CWShredder from here. Double click to install. Done.

    Download, install and update Ad-aware. Link is in my signature. Done. I also recommend you uninstall Adware Away. More information here. Done.

    Download the text file attached to this post, saving to the desktop. Rename with a .reg extension. Done.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix. Done, but see below.

    [Your list omitted.]

    Upon clicking Fix and confirming Yes, HijackThis generated nine error messages. All reported Error #55. The relevant part of the first reads:

    An unexpected error has occurred at procedure: modMain_FixOther1Item(sItem=O1 - Hosts: 3466709097 sitefinder-idn.verisign.com)
    Error #55 - File already open

    Windows version: Windows NT 5.00.2195
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.98.2

    The others differ only in what follows "Hosts", thus:

    2: 3466709097 sitefinder-idn.verisign.com
    3: 3466709097 www.your.com
    4: 3466709097 your.com
    5: 3466709097 com.org
    6: 3466690378 ad.doubleclick.net
    7: 3466690378 view.atdmt.com
    8: 3466690378 click.atdmt.com
    9: 3466690378 leader.linkexchange.com


    Reboot to safe mode. Scan with HJT again and look for the following run entry. Done.

    O4 - HKLM\..\Run: [clfmon.exe] clfmon.exe

    If found place a check next to it and fix. Not found. If not, open regedit and navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
    and delete the clfmon string. (I know it's there because it's in the export you mailed to me) Not found there either.

    Double click the new CWShredder shortcut on the desktop to open, close all other windows and click fix. Done.

    Double click the Ms4HdRem.reg file to merge to the registry. Done.

    Open C: and delete the !Submit folder. Not found.

    Open C:\WINNT\System32, find and delete any of the following files present. Done. Those marked * were present

    msmsgs.exe
    service.exe
    msacmx.dll *
    d3dxov.dll *
    winsrv32.dll *
    ie4unit.exe *
    ipxroutex.exe
    rdshost32.exe
    rshe.exe *
    net2.exe *
    mqsvch.exe
    dllhostxp.exe
    extrac16.exe
    mqbckup.exe *
    pxhping.exe *
    rdpnr.exe
    slservc.exe
    clfmon.exe *
    hdr.dll *
    msacmx.dll

    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old Done.
    Open C:\Temp if present, select all and delete. Not present.
    Open C:\Windows\Temp, select all and delete. I have no C:\Windows folder, but did this to C:\WINNT\Temp.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Done. Do this for all usernames. Only 1 user, Administrator, had a Local Settings\temp folder with contents. All Users had no temp folder; the Default User’s temp folder was empty.

    Open Ad-aware and run in full scan mode. Remove everything it finds. Ad-aware was not operable in safe mode. It would start up but no button on the opening dialog would function.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK. Done. There was no compress old files box.

    Reboot back to Windows. Done. At this point I ran Ad-aware in full scan mode and deleted everything it found.

    Open RegSeeker and click 'clean registry'. I generally recommend deleting everything it finds, and have not had any problems doing so. Done. Run again and again until nothing else is found. Done. Took two passes. You might also want to use the Histories function to clear URLs, cookies, stream MRU keys, etc. Done. Two cookies in the IE history cache failed to delete. They are, of course:

    VISITED:
    Administrator@http://www.girlsforgames.com/poker.html
    Last access : 11/18/2004 3:48:02 PM Expire on : 11/29/2004 3:48:02 PM

    VISITED:
    Administrator@http://www.findspyware.net/scan.php
    Last access : 11/18/2004 4:11:40 PM Expire on : 11/29/2004 4:04:30 PM

    Maybe I should just take a vacation until then (I wish.)
    :(

    Reboot, scan your PC with RAV. If any files are infected, click the report button then copy and paste it here, along with a new HijackThis log. (we need to see a new HJT log regardless) Done, both follow.

    RAV report:

    Scan started at 11/23/2004 11:07:34 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\PMAIL\MAIL\FOL020B6.PMM->(part0025:Cert Opp 2nd Draft.doc) - W97M/Class.D -> Infected
    C:\PMAIL\MAIL\P450A0.CNM->(part0000: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\PMAIL\MAIL\FOL00CD1.PMM->(part0044: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\PMAIL\MAIL\FOL00CD1.PMM->(part0045:the.pif) - Win32/Klez.H@mm -> Infected
    C:\Pmail mail\FOL00CD1.PMM->(part0044: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Pmail mail\FOL00CD1.PMM->(part0045:the.pif) - Win32/Klez.H@mm -> Infected
    C:\Pmail mail\FOL020B6.PMM->(part0025:Cert Opp 2nd Draft.doc) - W97M/Class.D -> Infected
    E:\install.htm - HTML/DialogArg.B* -> Infected
    E:\pmail\MAIL\FOL020B6.PMM->(part0025:Cert Opp 2nd Draft.doc) - W97M/Class.D -> Infected
    E:\pmail\MAIL\P450A0.CNM->(part0000: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    E:\pmail\MAIL\FOL00CD1.PMM->(part0044: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    E:\pmail\MAIL\FOL00CD1.PMM->(part0045:the.pif) - Win32/Klez.H@mm -> Infected
    E:\WINFAX\MACROS\WORD60.DOC - WM/Generic -> Suspicious
    E:\Pmail mail\FOL00CD1.PMM->(part0044: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    E:\Pmail mail\FOL00CD1.PMM->(part0045:the.pif) - Win32/Klez.H@mm -> Infected
    E:\Pmail mail\FOL020B6.PMM->(part0025:Cert Opp 2nd Draft.doc) - W97M/Class.D -> Infected
    E:\…\photoGlow.exe - Win95/CIH.remnants -> Infected

    Scanned
    ============================
    Objects: 64603
    Directories: 3998
    Archives: 2742
    Size(Kb): 1860995
    Infected files: 16

    Found
    ============================
    Viruses found: 8
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 14817

    Note: I have edited out several :)s in the above by inserting a space between : and ) where they were adjacent.


    Logfile of HijackThis v1.98.2
    Scan saved at 12:17:24 PM, on 11/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\PGPsdkServ.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\system32\mqsvc.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\EXSHOW95.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\INTEL\DSLSetup\ProDsl.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\WINNT\system32\EXSHOW.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\My download files\Anti-virus, hijack, etc admin tools\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 3466709097 sitefinder.verisign.com
    O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
    O1 - Hosts: 3466709097 www.your.com
    O1 - Hosts: 3466709097 your.com
    O1 - Hosts: 3466709097 com.org
    O1 - Hosts: 3466690378 ad.doubleclick.net
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe "
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .swf: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npswf32.dll
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{35C49DEC-5288-4944-AFC5-1A7D0B51A5A5}: NameServer = 198.182.207.3 198.187.188.2
    O19 - User stylesheet: (file missing)


    Did you use Spybot to lock the IE Options control panel? Yes, I did that a short while before my opening post in this thread but was soon obliged for some reason to unlock it and since then have left it unlocked.

    By all means, send me the RegLite bookmarks file too. Done.

    If rebooting will botch a proposed solution, then I may need a work-around because my internet connection is frequently disrupted and when that happens a reboot is usually necessary before I can reconnect.
    jj
     
  11. 2004/11/23
    noahdfear Inactive
    You might want to install Move-on-Boot to get those cookies. RegSeeker will show their location. Once installed, you have a new right click option for files to 'Delete on Next Boot'. Use it to tag those two files.

    Appears you have a few saved email files to locate and delete. :(

    Scan with HJT again and fix the following.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Download the HostsFileReader and unzip, then open. Click Scan for Hosts. Click each result and then Use Notepad. When you find the one with those entries, delete it. The default location is c:\winnt\system32\drivers\etc\hosts, and will look similar to the below text.


    # Copyright (c) 1998 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost


    You can click Reset Default to replace the original if needed.

    Then open Spybot, click mode on the toolbar, then advanced. Click tools in the left pane, then IE Tweaks and lock the hosts file.

    Reboot.

    Follow up with another RAV scan and new HJT log.
     
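The hosts-file check described in the post above, worked through as an added example; this is not the poster's code, HostsFileReader, or anything from Spybot. It is a Python audit that parses hosts entries (several names per line, trailing `#` comments), normalises each address the way inet_addr() does (dotted quad, a bare 32-bit decimal such as the 3466709097 in the HJT O1 lines, or 0x hex), and reports names sent to a remote address or written in an obfuscated form, while leaving the ordinary dotted 127.0.0.1 blocklist entries (the Spybot idiom) alone. It is assumed here that Windows honours those single-number addresses, as the O1 entries in this thread suggest. The sample file is constructed from the entry shapes seen in the thread; the dotted addresses the code prints are computed from the decimal forms by the code itself and go beyond what the post states.

```python
"""Audit a Windows hosts file for hijacked or obfuscated entries.

Added example for this thread; it is not jjbode's hosts file, HostsFileReader,
or Spybot code.  Assumes the hosts parser accepts the same address syntax as
inet_addr(): dotted quad, a single 32-bit number, or 0x hex (the HJT O1 lines
in the thread show the numeric form being honoured).
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the entry shapes in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
127.0.0.1 localhost
3466709097 sitefinder.verisign.com
3466709097 www.your.com
3466690378 ad.doubleclick.net   # ad server
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.findspyware.net
# End of entries inserted by Spybot - Search & Destroy
0x7f000001 example.test
not-an-address bogus.example
"""

DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
LOCAL = {ipaddress.IPv4Address("127.0.0.1"), ipaddress.IPv4Address("0.0.0.0")}


def parse_address(token: str) -> Optional[ipaddress.IPv4Address]:
    """Normalise any inet_addr()-style token to an IPv4Address, or None."""
    try:
        if DOTTED_QUAD.fullmatch(token):
            return ipaddress.IPv4Address(token)
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", token):
            value = int(token, 16)
        elif token.isdigit():
            value = int(token)
        else:
            return None
        return ipaddress.IPv4Address(value) if value <= 0xFFFFFFFF else None
    except ValueError:
        return None


def parse_hosts(text: str) -> List[Tuple[int, str, str, Optional[ipaddress.IPv4Address]]]:
    """Return (line_no, address_token, hostname, parsed_address) for every
    mapping; '#' comments and blank lines are skipped, and a line that maps
    several names produces one record per name."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        token, *names = body.split()
        addr = parse_address(token)
        for name in names:
            records.append((line_no, token, name, addr))
    return records


def audit_hosts(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, hostname, dotted_address_or_token, reason) for each
    entry worth a look: names sent to a non-local address (a redirect),
    addresses written in a non-dotted form (obfuscation), and lines the
    parser cannot read.  Dotted loopback entries, the usual blocklist idiom
    (as in the Spybot block), are not reported."""
    findings = []
    for line_no, token, name, addr in parse_hosts(text):
        if addr is None:
            findings.append((line_no, name, token, "unparseable address"))
            continue
        remote = addr not in LOCAL
        obfuscated = not DOTTED_QUAD.fullmatch(token)
        if remote and obfuscated:
            reason = f"redirected to remote host, written as {token}"
        elif remote:
            reason = "redirected to remote host"
        elif obfuscated:
            reason = f"loopback written as {token}"
        else:
            continue
        findings.append((line_no, name, str(addr), reason))
    return findings


if __name__ == "__main__":
    # On a Windows 2000 box the live file is C:\WINNT\system32\drivers\etc\hosts.
    for line_no, name, addr, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}: {reason}")
```

Point it at the live file with `audit_hosts(open(r"C:\WINNT\system32\drivers\etc\hosts").read())`. The reason column is what separates a hijack from housekeeping: a blocklist tool writes `127.0.0.1 name`, whereas an entry that sends a search or anti-spyware site to a remote address, especially one spelled as a bare number, is the pattern the HJT O1 lines in this thread show.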
  12. 2004/11/24
    jjbode Inactive Thread Starter
    Dave, we seem to be making progress: no redirects or popups since the last adjustments. I hope the rest is mopping-up. Same format below as my last reply.

    You might want to install Move-on-Boot [Done.] to get those cookies.

    RegSeeker will show their location. Once installed, you have a new right click option for files to 'Delete on Next Boot'. Use it to tag those two files. [All Right-click options for those cookies in RegSeeker are grayed-out. Unless I'm missing something, the only location RegSeeker shows me (and only shows it on a print of the IE History Cache Cookies page) is: "(Index.dat) ". Of such files I have a few. I tagged these two:

    C:\Documents and Settings\Administrator\Cookies\Index.dat [96Kb]
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Index.dat [7,600Kb]

    Also I found a "findspyware (www[nolink,thanks].findspyware.net)" entry in C:\Documents and Settings\Administrator\Local Settings\History\Monday, but no right-click option to move-on-delete, only Open or Delete. Left this entry alone for now.]


    Appears you have a few saved email files to locate and delete. [Done.]

    Scan with HJT again and fix the following.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    [Done.]

    Download the HostsFileReader and unzip, then open. Click Scan for Hosts.
    Click each result and then Use Notepad. When you find the one with those
    entries, delete it. The default location is
    c:\winnt\system32\drivers\etc\hosts, and will look similar to the below text.

    # Copyright (c) 1998 Microsoft Corp.
    # This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    # For example:
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    127.0.0.1 localhost

    [Done, but I had three in that folder:

    hosts
    hosts.20040913-152159.backup
    hosts.20040913-152218.backup

    None had the comment text you described, instead each had the entries shown in the notepad text pulled up by HostsFileReader plus two SpyBot comments:

    3466709097 sitefinder.verisign.com
    3466709097 sitefinder-idn.verisign.com
    3466709097 www[no link, thanks].your.com
    3466709097 your.com
    3466709097 com.org
    3466690378 ad.doubleclick.net
    3466690378 view.atdmt.com
    3466690378 click.atdmt.com
    3466690378 leader.linkexchange.com
    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy]


    You can click Reset Default to replace the original if needed.

    [Doesn't seem needed. They're gone. :)]

    Then open Spybot, click mode on the toolbar, then advanced. Click tools in
    the left pane, then IE Tweaks and lock the hosts file.

    [Done, I guess. That wasn't possible in my SpyBot 1.2 so I downloaded and updated 1.3, in which the host file lock setting was already checked. However before installing 1.3 I did not resist a temptation to use 1.2 to change one about:blank and one other funny start page to google. Sorry.]

    Reboot. [Done. On shutdown IE squawked about some error and said to restart the program. I declined that advice, hit cancel and rebooted.]

    Follow up with another RAV scan and new HJT log. [Done. See both below. The recycled entries in C: I understand, but the reappearance of mail I deleted makes me :confused: ]

    RAV scan report:

    Scan started at 11/24/2004 2:40:36 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Recycled\Dc2.PMM->(part0025:Cert Opp 2nd Draft.doc) - W97M/Class.D -> Infected
    C:\Recycled\Dc3.CNM->(part0000: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Recycled\Dc4.PMM->(part0044: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Recycled\Dc4.PMM->(part0045:the.pif) - Win32/Klez.H@mm -> Infected
    C:\Pmail mail\FOL00CD1.PMM->(part0044: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    C:\Pmail mail\FOL00CD1.PMM->(part0045:the.pif) - Win32/Klez.H@mm -> Infected
    C:\Pmail mail\FOL020B6.PMM->(part0025:Cert Opp 2nd Draft.doc) - W97M/Class.D -> Infected
    E:\RECYCLED\De1.htm - HTML/DialogArg.B* -> Infected
    E:\RECYCLED\De2.PMM->(part0025:Cert Opp 2nd Draft.doc) - W97M/Class.D -> Infected
    E:\RECYCLED\De3.CNM->(part0000: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    E:\RECYCLED\De4.PMM->(part0044: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    E:\RECYCLED\De4.PMM->(part0045:the.pif) - Win32/Klez.H@mm -> Infected
    E:\RECYCLED\De5.DOC - WM/Generic -> Suspicious
    E:\RECYCLED\De6.PMM->(part0044: )->(IFRAME0000) - HTML/IFrame_Exploit* -> Infected
    E:\RECYCLED\De6.PMM->(part0045:the.pif) - Win32/Klez.H@mm -> Infected
    E:\RECYCLED\De7.PMM->(part0025:Cert Opp 2nd Draft.doc) - W97M/Class.D -> Infected
    E:\RECYCLED\De8.exe - Win95/CIH.remnants -> Infected

    Scanned
    ============================
    Objects: 60181
    Directories: 3936
    Archives: 2749
    Size(Kb): 1459041
    Infected files: 16

    Found
    ============================
    Viruses found: 8
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 14838

    [Note: I again inserted a space wherever : and ) were adjacent to avoid :)s.]


    Logfile of HijackThis v1.98.2
    Scan saved at 3:36:06 PM, on 11/24/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\PGPsdkServ.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\system32\mqsvc.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\EXSHOW95.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\INTEL\DSLSetup\ProDsl.exe
    C:\WINNT\system32\EXSHOW.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\notepad.exe
    C:\My download files\Anti-virus, hijack, etc admin tools\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .swf: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npswf32.dll
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{35C49DEC-5288-4944-AFC5-1A7D0B51A5A5}: NameServer = 198.182.207.3 198.187.188.2
    O19 - User stylesheet: (file missing)


    I'll be away tomorrow. Have a happy Thanksgiving! jj
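The HOSTS listing quoted in this post maps SiteFinder, typo and ad domains to addresses written as bare decimal integers, and the thread then moves on to locking the file with Spybot. The script below is an added example, not code from the thread or from HostsFileReader, Spybot or any other tool named in it. It parses a Windows hosts file, decodes the decimal address form that inet_addr() accepts, separates genuine blocking entries (127.0.0.1 or 0.0.0.0 targets) from redirects, and on Windows reads the registry value that tells TCP/IP where the hosts file actually lives (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath). The sample text is constructed; its two decimal addresses are the ones in the listing above, and the hostnames in the Spybot block are the two cookie sites discussed in this thread, used here only as stand-ins for a block list.

```python
"""Hosts-file hijack triage.  Added example: not code from the thread or from
HostsFileReader, Spybot or any other tool named in it."""
import ipaddress
import os
import re

# Constructed sample in the shape HostsFileReader showed.  The two decimal
# addresses are the ones in the listing above; the Spybot block is the benign
# kind of entry a hosts-file lock is meant to protect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
3466709097 sitefinder-idn.verisign.com
3466709097 your.com
3466690378 ad.doubleclick.net
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.findspyware.net
0.0.0.0 www.girlsforgames.com
# End of entries inserted by Spybot - Search & Destroy
"""

# Targets that block a name rather than redirect it.
BLOCK_TARGETS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


def parse_address(token):
    """Parse the address column of one hosts line.

    inet_addr() accepts a single decimal number as a 32-bit IPv4 address, so
    '3466709097' is 206.161.200.105 even though a casual reader will not see
    an address in it.  Only the all-decimal form is decoded here; dotted-quad
    and IPv6 are handed to the ipaddress module."""
    if re.fullmatch(r"\d+", token) and int(token) <= 0xFFFFFFFF:
        return ipaddress.IPv4Address(int(token))
    return ipaddress.ip_address(token)  # ValueError on anything else


def parse_hosts(text):
    """Return one dict per entry line: line number, raw address token, parsed
    address (None if it does not parse) and the hostnames mapped to it."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            addr = parse_address(fields[0])
        except ValueError:
            addr = None
        entries.append({"line": n, "token": fields[0], "addr": addr, "names": fields[1:]})
    return entries


def suspicious_entries(text):
    """Entries that send a name anywhere other than a blocking address."""
    out = []
    for e in parse_hosts(text):
        addr = e["addr"]
        if addr in BLOCK_TARGETS:
            continue
        if addr is None:
            why = "address column does not parse"
        elif addr.is_private or addr.is_loopback:
            why = "redirect to a local or private address; LAN entries look like this, so confirm it"
        else:
            why = "redirect to a public address"
        out.append({"line": e["line"], "names": e["names"],
                    "target": str(addr) if addr else e["token"], "why": why})
    return out


def hosts_path_from_registry():
    """On Windows, return the directory TCP/IP actually reads hosts from.

    The location is the DataBasePath value under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters rather than a
    fixed path, so when a tool reports a hosts file somewhere unexpected,
    compare against this value.  Returns None when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters")
    value, _ = winreg.QueryValueEx(key, "DataBasePath")
    return os.path.expandvars(value)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_HOSTS
    for f in suspicious_entries(text):
        print(f"line {f['line']}: {' '.join(f['names'])} -> {f['target']} ({f['why']})")
```

Run it with no argument to triage the constructed sample, or pass the path of a real hosts file; on the sample it reports lines 3 to 5 as redirects to 206.161.200.105 and 206.161.127.74 and leaves the Spybot block alone. Private-address hits are reported rather than ignored because a legitimate LAN entry and a redirect to a compromised neighbour look identical in the file.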
     
  13. 2004/11/24
    noahdfear
    Hope I didn't confuse you with the Move-on-Boot/RegSeeker thing. MOB is what gives you the new right click option when clicking on a file. I only meant for RegSeeker to be used for identifying the file(s)' location in your reply about the undeletable cookies:

    VISITED:
    Administrator@http://www.girlsforgames.com/poker.html
    Last access : 11/18/2004 3:48:02 PM Expire on : 11/29/2004 3:48:02 PM

    VISITED:
    Administrator@http://www.findspyware.net/scan.php
    Last access : 11/18/2004 4:11:40 PM Expire on : 11/29/2004 4:04:30 PM

    There should have been a directory path shown below each entry.

    Safe to just delete the history entry.

    If you deleted the HOSTS files, then you are probably left without one. Search again with the reader and if not one in the default location, click use default. (May have to uncheck the lock in Spybot first. Strange to me that it would already be locked if not present though. :confused: ) Then, in Spybot, click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, again lock the HOSTS file. You could again lock the IE control panel if you want to.
    Then download and install IESpyad.

    That will give you an added layer of protection against unwanted parasites.

    Fix the following with HJT.

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O19 - User stylesheet: (file missing)

    Run disk cleanup on E: drive. Use right click delete on next boot option to tag the mail files on both drives, empty the recycle bin and reboot. Run another scan and post new logs, HJT included.

    If you get another shutdown error out of IE, click the details button and post the info please.

    Happy Turkey Day to you too. :)
     
  14. 2004/11/26
    jjbode (Thread Starter)
    Dave, same format as before.

    Hope I didn't confuse you with the Move-on-Boot/RegSeeker thing. MOB is what gives you the new right click option when clicking on a file. I only meant for RegSeeker to be used for identifying the file(s)' location in your reply about the undeletable cookies:

    VISITED:
    Administrator@http://www.girlsforgames.com/poker.html
    Last access : 11/18/2004 3:48:02 PM Expire on : 11/29/2004 3:48:02 PM

    VISITED:
    Administrator@http://www.findspyware.net/scan.php
    Last access : 11/18/2004 4:11:40 PM Expire on : 11/29/2004 4:04:30 PM

    There should have been a directory path shown below each entry.

    [Apparently you did not confuse me. RegSeeker shows only the exact text above, with no directory path shown below either entry. I assume we are running the same version (1.35 beta build 1203). I notice, though, that the RegSeeker > Histories > IE History Cache Cookies listing shows at least three types of entries: HTTP:, COOKIE:, and VISITED:. Only entries of the first two types include a directory path, whereas the undeletable girlsforgames and findspyware entries, of the third type, do not. By the way, the lack of a directory path is not limited to my undeletable VISITED: entries; for example, a later VISITED: entry reads exactly as follows:

    VISITED:
    Administrator@http://www.windowsbbs.com/showthread.php?t=37605&page=3&pp=15
    Last access : 11/25/2004 11:26:10 AM Expire on : 12/6/2004 11:19:00 AM

    That windowsbbs entry deletes easily. Anyway, apparently I cannot locate the two undeletable entries using RegSeeker. Know another way? By the way, I just checked and they are still there and still undeletable.]


    Safe to just delete the history entry.

    [Good, done.]

    If you deleted the HOSTS files, then you are probably left without one. Search again with the reader and if not one in the default location, click use default. (May have to uncheck the lock in Spybot first. Strange to me that it would already be locked if not present though.)

    [For the record please know when I searched again HostsFileReader found this text only:

    # Start of entries inserted by Spybot - Search & Destroy
    # End of entries inserted by Spybot - Search & Destroy

    But it said it was reading from "C:\WINNT\Hosts", not c:\winnt\system32\drivers\etc\hosts. Which seems odd because there is no such path C:\WINNT\Hosts, and no hosts file in c:\winnt\system32\drivers\etc\ other than lmhosts.sam, which is entirely MS comment (I do not use a LAN).

    So, anyway, I clicked Reset Default, and HostsFileReader now shows I have two hosts files, one in the default location which is exactly like your example, and the other being the same C:\WINNT\Hosts file with the SpyBot non-entries which I cannot navigate to. So, I'm wondering whether SpyBot will lock one, the other, or both.]


    Then, in Spybot, click immunize in the left pane, then immunize again, this time from above with the green + beside it. [Done.] Click the link below that for SpywareBlaster, download, install, enable all protection and update. [Done.] Check for updates regularly. [Okay.] Then, still in Spybot, again lock the HOSTS file. [Done.] You could again lock the IE control panel if you want too. [Not done, yet.]
    Then download and install IESpyad. [Done.]

    That will give you an added layer of protection against unwanted parasites. [Looks very good, many thanks.]

    Fix the following with HJT.

    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O19 - User stylesheet: (file missing)

    [Done.]

    Run disk cleanup on E: drive. [Done.] Use right click delete on next boot option to tag the mail files on both drives [Done, though RAV only found them in C: and I could not explore to them in E:], empty the recycle bin [Done.] and reboot. Run another scan and post new logs, HJT included. [Done, see below.]

    RAV scan screen at end of scan:

    Scan started at 11/26/2004 10:59:18 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...

    Scanned
    ============================
    Objects: 60273
    Directories: 3948
    Archives: 2748
    Size(Kb): 1449102
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 14633

    RAV scan "report" [This is the table that pops up after pressing the "report" button. That button did not work before now. Also, when I navigated to the RAV scan page this time, after making the above changes, it would not fully load until I added its url to IE's trusted zone.]

    Statistics

    Scanned files: 60273
    Scanned directories: 3948
    Scanned archives: 2748
    Size of the scanned files: 1483880632
    Packed files: 708
    Known viruses found: 0
    Virus bodies: 0
    Suspicious files: 0

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 214104
    Mail files: 14633

    Found viruses
    No virus found :)


    Logfile of HijackThis v1.98.2
    Scan saved at 12:06:55 PM, on 11/26/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\PGPsdkServ.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\inetsrv\inetinfo.exe
    C:\WINNT\system32\mqsvc.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\EXSHOW95.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\INTEL\DSLSetup\ProDsl.exe
    C:\WINNT\system32\EXSHOW.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\My download files\Anti-virus, hijack, etc admin tools\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .swf: C:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\npswf32.dll
    O15 - Trusted Zone: http://www.ravantivirus.com
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{35C49DEC-5288-4944-AFC5-1A7D0B51A5A5}: NameServer = 198.182.207.3 198.187.188.2

    :confused:

    If you get another shutdown error out of IE, click the details button and post the info please. [No such errors since the one mentioned. By the way, that error message was odd; it had no details button, just a "Cancel" button; its message was to restart IE (I cannot quote it); I hit cancel, did not restart IE, but just shut down.]

    Happy Turkey Day to you too. [Mine was great, I managed not to over-eat or -drink. I am thankful so many helpful people have worked on these problems.] jj
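The HijackThis log in this post differs from the earlier one by the O15 Trusted Zone line that appeared when the RAV scanner's site was added to the zone, and the two items fixed in between were an O2 BHO with (no file) and an O19 with (file missing). The triage script below is an added example, not part of HijackThis and not code posted by anyone in the thread. It reads HJT 1.98-style lines and reports O15 Trusted Zone additions (an IP or wildcard target ranks highest, since sites in that zone get relaxed ActiveX and scripting controls), O2/O3 entries whose file is gone, O19 missing files, O4 Run entries that name an executable without a path (those are resolved by PATH search, so it is worth confirming which file actually runs), O16 ActiveX downloads, and O17 name servers. The sample lines are taken from the logs on this page, plus one constructed O15 line using the TEST-NET address 192.0.2.7 to show the high-priority case; the severity labels are this example's own.

```python
"""HijackThis log triage.  Added example: not part of HijackThis and not code
posted in the thread.  Line formats follow HijackThis 1.98 as shown in the logs
above; a line HJT prints differently simply produces no finding."""
import ipaddress
import re

# Constructed sample built from lines in the logs above.  The 192.0.2.7 entry
# is constructed (TEST-NET address) to show the high-priority Trusted Zone case.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted Zone: http://www.ravantivirus.com
O15 - Trusted Zone: 192.0.2.7
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35C49DEC-5288-4944-AFC5-1A7D0B51A5A5}: NameServer = 198.182.207.3 198.187.188.2
O19 - User stylesheet: (file missing)
""".strip()

# "O4 - rest of line": section code, then the body HJT prints for that section.
LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")


def _o4_executable(body):
    """'HKLM\\..\\Run: [Name] "C:\\dir\\app.exe" /x' -> 'C:\\dir\\app.exe'."""
    cmd = body.partition("] ")[2].strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _ip_or_wildcard(target):
    """True for a bare IP or a wildcard host, the classic Trusted Zone hijack shape."""
    host = re.sub(r"^[a-z]+://", "", target, flags=re.I).split("/")[0]
    if "*" in host:
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_hjt(text):
    """Return a list of findings, each with section, severity, reason and the raw line."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        hit = None
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            hit = ("medium", "CLSID is registered but its file is gone (orphan of a removed component); fix")
        elif sec == "O19" and "(file missing)" in body:
            hit = ("medium", "user stylesheet is set but the file is missing; fix")
        elif sec == "O4":
            exe = _o4_executable(body)
            if exe and not re.search(r"[\\/:]", exe):
                hit = ("review", f"{exe} is a bare name resolved by PATH search; confirm which file actually runs")
        elif sec == "O15":
            target = body.partition(": ")[2].strip()  # works for 'Trusted Zone:' and 'Trusted IP range:'
            sev = "high" if _ip_or_wildcard(target) else "review"
            hit = (sev, f"{target} has Trusted Zone privileges (relaxed ActiveX and scripting); remove unless you added it on purpose")
        elif sec == "O16":
            hit = ("review", "ActiveX control installed from " + body.rsplit(" - ", 1)[-1].strip())
        elif sec == "O17":
            servers = body.partition("NameServer = ")[2].split()
            hit = ("review", "DNS servers " + ", ".join(servers) + "; confirm they belong to your ISP")
        if hit:
            findings.append({"section": sec, "severity": hit[0], "reason": hit[1], "line": raw.strip()})
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_HJT
    for f in triage_hjt(text):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}\n         {f['line']}")
```

Run it on a saved HJT log, or with no argument on the sample. The O4 check deliberately does not call a bare-name entry bad: mobsync.exe and kmw_run.exe may well be exactly what they claim, but the Run key gives no path, so the only way to know is to locate the file that the search order finds first.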
     
  15. 2004/11/30
    jjbode (Thread Starter)
    Dave, in case you were waiting for the 29th to go by, please know I was too. Today is the 30th and I just ran RegSeeker > Histories > IE Explorer Cache Cookies (Index.dat), selected all, and tried to delete all but those two stubborn entries still remained. I should mention that in the time being I have surfed about freely without encountering any symptoms of the kinds described before. Yet I assume the creatures who planted these entries and made them undeletable had a purpose that is not benign. Any ideas? Should I try deleting every Index.dat file? jj
     
  16. 2004/11/30
    noahdfear
    Sorry I didn't get back to you jj. LOL, no, I wasn't waiting for the 29th to go by. I was actually trying to figure out how to get those stubborn Visited urls out. I have 23 of them myself. :eek: I've been through the registry, deleted index.dats, cleared History in IE, cleared Autocomplete options, plus several other things, all to no avail. I'm just out of ideas right now. If I figure it out, I will surely let you know.

    The HOSTS file... Use the reader to delete the one it says is in C:\WINNT.

    Happy to hear you haven't had any more problems. Keep SpywareBlaster and Spybot updated. They continually add sites to their list of restricteds.

    Thanks for posting back. :)
     
  17. 2004/11/30
    Lonny Jones
    Hi

    Just a thought, but did you delete the favorites that nasty made?
     
  18. 2004/12/07
    jjbode (Thread Starter)
    Lonny, I did not notice them until you suggested that, then I deleted them, then my attention was hijacked so I forgot to reply until now. There were ten or so, the creatures. jj
     